From: P J P <ppandit@redhat.com>
To: qemu-devel@nongnu.org
Cc: Qinghao Tang <luodalongde@gmail.com>, Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop
Date: Thu, 10 Dec 2015 18:51:04 +0530 (IST)
Message-ID: <alpine.LFD.2.20.1512101839390.2628@wniryva>
Hello Gerd,
An infinite loop issue was reported by Mr Qinghao Tang (CC'd), in the USB EHCI
emulator. In that, a malicious isochronous transfer descriptor (iTD) list could
unfold an infinite loop in the 'ehci_advance_state' routine, by always
setting 'again = 0 or 1'.
Please see below a proposed (tested) patch to fix this issue. Does it look
okay? Not sure if 'count=16' is good for an upper limit.
===
From 4c4f46e8cb7ef661c707b2c477187e1f52c21cc9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 10 Dec 2015 18:22:37 +0530
Subject: [PATCH] usb: hcd-ehci: add check to avoid an infinite loop
While communicating with the host controller interface (EHCI),
the driver makes use of an isochronous transfer descriptor (iTD)
list. When processing this list, the USB EHCI emulator could run
into an infinite loop in the 'ehci_advance_state' routine.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/usb/hcd-ehci.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..4e7e5db 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2000,7 +2000,7 @@ static int ehci_state_writeback(EHCIQueue *q)
static void ehci_advance_state(EHCIState *ehci, int async)
{
EHCIQueue *q = NULL;
- int again;
+ int again, count = 0;
do {
switch(ehci_get_state(ehci, async)) {
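Review bot: `count` is declared with no comment saying what it bounds, and the name does not say either; since this is the iteration counter for the `do { ... } while` state loop below, a name such as `iterations` or a short comment at the declaration (e.g. `/* bound the number of state transitions per pass */`) would make the purpose of the new variable clear to the next reader.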
@@ -2076,7 +2076,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
break;
}
- if (again < 0) {
+ count++;
+ if (again < 0 || count > 16) {
fprintf(stderr, "processing error - resetting ehci HC\n");
ehci_reset(ehci);
again = 0;
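Review bot: the bound `16` in `if (again < 0 || count > 16)` is a magic number with no explanation of why 16 iterations is enough for a legitimate descriptor list, and the cap shares the `again < 0` error path, so a guest that merely presents a long but finite list gets the "processing error - resetting ehci HC" message and a full `ehci_reset()`. Suggest a named constant with a comment justifying the value, and a separate branch for the cap that logs that the per-pass limit was hit and just ends this pass (`again = 0;`) rather than resetting the controller; a reset should be reserved for the real error case.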
--
2.4.3
===
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F